=============================================================
@@@@ @@@@ @@@ @@@@ @ @ @@@@ @@@@ @@@@@
@ @ @ @ @ @ @ @ @ @ @ @
@@@@ @@@ @ @ @@@@@ @ @@@ @@@ @
@ @ @ @ @ @ @ @ @ @ @
@@@@ @ @@@ @@@@ @ @ @@@@ @@@@ @ @ @
============================================================
Volume 1.04 (special edition) July 21, 1994
------------------------------------------------------------
Published by the
Electronic Privacy Information Center (EPIC)
Washington, DC
(Alert@epic.org)
=======================================================================
Table of Contents
=======================================================================
SPECIAL EDITION -- "SON OF CLIPPER"
[1] Administration "Reversal" on Clipper
[2] EPIC Statement
[3] Letter from Gore to Cantwell
[4] What You Can Do (Email the VP)
[5] Upcoming Conferences and Events
=======================================================================
[1] Administration "Reversal" on Clipper
=======================================================================
A letter from Vice President Al Gore to Representative Maria
Cantwell (D-WA) sent this week during Congressional debate on the
Export Administration Act has raised important questions about the
current state of the Clipper proposal. Some have hailed the statement
as a major reversal. Others say the letter seals a bad deal.
Below we have included the letter from the Vice President, a
statement from EPIC, and recommendations for further action.
=======================================================================
[2] EPIC Statement on Gore Letter to Cantwell
=======================================================================
News reports that the Clinton Administration has reversed
itself on encryption policy are not supported by the letter from Vice
President Gore to Maria Cantwell regarding export control policy. In
fact, the letter reiterates the White House's commitment to the NSA's
key escrow proposal and calls on the private sector to develop
products that will facilitate electronic surveillance.
The letter from the Vice President calls on the government and
the industry to develop jointly systems for key escrow cryptography.
Key escrow is the central feature of the Clipper chip and the NSA's
recommended method for electronic surveillance of digital
communications.
The letter also reaffirms the Administration's support for
Clipper Chip as the federal standard for voice networks. There is no
indication that the White House will withdraw this proposal.
Statements that Clipper is "dead" are absurd.
The letter offers no changes in export control policy. It
recommends instead that the status quo be maintained and that more
studies be conducted. (The White House already completed such a
study earlier this year. The results were never disclosed to the
public, despite EPIC's request for release of the findings under the
Freedom of Information Act.)
This is a significant setback for groups expecting that export
control laws would be revised this year.
The White House expresses a willingness to allow unclassified
algorithms and to hold key escrow agents liable for misuse. These are
the only provisions of the Gore letter favorable to the user
community. But neither provision would even be necessary if the White
House did not attempt to regulate cryptography in the first place.
The Administration's willingness to accept private sector
alternatives to Clipper for data networks essentially ratifies an
agreement to develop "wiretap ready" technologies for data networks.
We believe the letter from the Vice President is essentially
a blueprint for electronic surveillance of digital networks. The
government will set out the requirements for surveillance systems such
as key escrow, and the industry will build complying systems.
The plan dovetails neatly with the FBI's Digital Telephony
proposal, which will establish legal penalties for companies and users
that design systems that cannot be wiretapped.
We do not believe this is in the interests of users of the
information highway. Key escrow necessarily weakens the security and
privacy of electronic communications. It makes networks vulnerable to
tampering and confidential messages subject to compromise. It is the
approach urged by organizations that specialize in electronic
eavesdropping. No group of Internet users has ever called for key
escrow encryption.
If this proposal goes forward, electronic surveillance will
almost certainly increase, network security will be weakened, and
people who design strong cryptography without key escrow could become
criminals. This is not a victory for freedom or privacy.
We support unclassified standards and relaxation of export
controls. We cannot support the premise that the government and
industry should design key escrow systems. We also do not believe
that Clipper is an appropriate standard for federal voice
communications.
We are asking the Vice President to reconsider his position
and urging network users to make known their concerns about the
proposal.
Electronic Privacy Information Center
Washington, DC
July 21, 1994
=======================================================================
[3] Letter from Gore to Cantwell
=======================================================================
THE VICE PRESIDENT
WASHINGTON
July 20, 1994
The Honorable Maria Cantwell House of Representatives Washington, DC
20515
"Dear Maria,
"I write today to express my sincere appreciation of your
efforts to move the national debate forward on the issue of
information security and export controls. I share your strong
conviction for the need to develop a comprehensive policy regarding
encryption, incorporating an export policy that does not disadvantage
American software companies in world markets while preserving our law
enforcement and national security goals.
"As you know, the Administration disagrees with you on the
extent to which existing controls are harming U.S. industry in the
short run and the extent to which their immediate relaxation would
affect national security. For that reason we have supported a
five-month Presidential study. In conducting this study, I want to
assure you that the Administration will use the best available
resources of the federal government. This will include the active
participation of the National Economic Council and the Department of
Commerce. In addition, consistent with the Senate-passed language,
the first study will be completed within 150 days of passage of the
Export Administration Act reauthorization bill, with the second study
to be completed within one year after the completion of the first. I
want to personally assure you that we will reassess our existing
export controls based on the results of these studies. Moreover, all
programs with encryption that can be exported today will continue to
be exportable.
"On the other hand, we agree that we need to take action this
year to ensure that over time American companies are able to include
information security features in their program in order to maintain
their international competitiveness. We can achieve this by entering
into a new phase of cooperation among government, industry
representatives and privacy advocates with a goal of trying to develop
a key escrow encryption system that will provide strong encryption, be
acceptable to computer users worldwide, and address our national
security needs as well.
"Key escrow encryption offers a very effective way to
accomplish our mutual goals. That is why the Administration adopted
the key escrow encryption standard in the "Clipper Chip" to provide
very secure encryption for telephone communications while preserving
the ability for law enforcement and national security. But the
Clipper Chip is an approved federal standard for telephone
communication and not for computer networks and video networks. For
that reason, we are working with industry to investigate other
technologies for these applications.
"The administration understands the concerns that industry has
regarding the Clipper Chip. We welcome the opportunity to work with
industry to design a more versatile, less expensive system Such a key
escrow scheme would be implementable in software, firmware or
hardware, or any combination thereof, would not rely on a classified
algorithm, would be voluntary, and would be exportable. While there
are many severe challenges to developing such a system, we are
committed to a diligent effort with industry and academics to achieve
such a system. We welcome your offer to assist us in furthering this
effort.
"We also want to assure users of key escrow encryption
products that they will not be subject to unauthorized electronic
surveillance. As we have done with the Clipper Chip, future key
escrow schemes must contain safeguards to provide for key disclosure
only under legal authorization and should have audit procedures to
ensure the integrity of the system. Escrow holders should be strictly
liable for releasing keys without legal authorization.
"We also recognize that a new key escrow encryption system
must permit the use of private-sector key escrow agents as one option.
It is also possible that as key escrow encryption technology spreads,
companies may establish layered escrowing services for their own
products. Having a number of escrow agents would give individuals and
businesses more choice and flexibility in meeting their needs for
secure communications.
"I assure you the President and I are acutely aware of the
need to balance economic and privacy needs with law enforcement and
national security. This is not an easy task, I think that our
approach offers the best opportunity to strike an appropriate balance.
I am looking forward to working with you and others who share our
interest in developing a comprehensive national policy on encryption.
I am convinced that our cooperative endeavors will open new creative
solutions to this critical problems."
Sincerely
/s/ Al Gore
=======================================================================
[4] What You Can Do (Email the VP)
=======================================================================
The Clipper debate has reached a critical juncture. The White House
and industry are about to seal a deal to make key escrow the standard
for encrypted communications. If you believe that individuals should
have the right to make full use of new technologies to protect
privacy, now is the time for your voice to be heard (and your email to
be sent).
EMAIL the Vice President at vice.president@whitehouse.gov
- Thank him for the Administration's willingness to reconsider its
views on Clipper
- Express support for the decision to support unclassified algorithms
and liability for key escrow agents
- But urge him not to require key escrow as a standard for encryption
products
- Emphasize that key escrow is the soul of Clipper, the method for
conducting electronic surveillance of digital communications
- Call for extensive testing and studies before any key escrow system
is deployed
You should also:
- Urge him to withdraw Clipper as a standard for voice communications
- Urge him to support relaxation of export controls
- Ask for the public release of the earlier White House study on
cryptography
- Ask for the public release of White House documents reviewing the
weaknesses of the key escrow proposal
The Vice President has clearly shown a willingness to listen
to the concerns of the user community on this issue. Your letter
could make a difference.
=======================================================================
[5] Upcoming Privacy Related Conferences and Events
=======================================================================
DEF CON ][ ("underground" computer culture) "Load up your laptop
Muffy, we're heading to Vegas!" The Sahara Hotel, Las Vegas, NV. July
22-24. Contact: dtangent@defcon.org.
Hackers on Planet Earth: The First US Hacker Congress. Hotel
Pennsylvania, New York City, NY. August 13-14. Sponsored by 2600
Magazine. Contact: 2600@well.sf.ca.us.
Technologies of Surveillance; Technologies of Privacy. The Hague, The
Netherlands. September 5. Sponsored by Privacy International and EPIC.
Contact: Simon Davies (davies@privint.demon.co.uk).
16th International Conference on Data Protection. The Hague,
Netherlands. September 6-8. Contact: B. Crouwers 31 70 3190190
(tel), 31-70-3940460 (fax).
CPSR Annual Meeting. University of California, San Diego. October 8-9.
Contact: Phil Agre
Symposium: An Arts and Humanities Policy for the National Information
Infrastructure. Boston, Mass. October 14-16. Sponsored by the Center
for Art Research in Boston. Contact: Jay Jaroslav
(jaroslav@artdata.win.net).
Third Biannual Conference on Participatory Design, Chapel Hill, North
Carolina. October 27-28. Sponsored by CPSR. Contact:
trigg@parc.xerox.com.
Ethics in the Computer Age Conference. Gatlinburg, Tennessee. November
11-13. Sponsored by ACM. Contact: jkizza@utcvm.utc.edu
(Send calendar submissions to Alert@epic.org)
=======================================================================
To subscribe to the EPIC Alert, send the message:
SUBSCRIBE CPSR-ANNOUNCE Firstname Lastname
to listserv@cpsr.org. You may also receive the Alert by reading the
USENET newsgroup comp.org.cpsr.announce
=======================================================================
The Electronic Privacy Information Center is a public interest
research center in Washington, DC. It was established in 1994 to
focus public attention on emerging privacy issues relating to the
National Information Infrastructure, such as the Clipper Chip, the
Digital Telephony proposal, medical record privacy, and the sale of
consumer data. EPIC is sponsored by the Fund for Constitutional
Government and Computer Professionals for Social Responsibility. EPIC
publishes the EPIC Alert and EPIC Reports, pursues Freedom of
Information Act litigation, and conducts policy research on emerging
privacy issues. For more information email info@epic.org, or write
EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington, DC 20003. +1
202 544 9240 (tel), +1 202 547 5482 (fax).
The Fund for Constitutional Government is a non-profit organization
established in 1974 to protect civil liberties and constitutional
rights. Computer Professionals for Social Responsibility is a national
membership organization of people concerned about the impact of
technology on society. For information contact: cpsr-info@cpsr.org
------------------------ END EPIC Alert 1.04 ------------------------